ING Information Security Management: Focal Points for the Future
Giuliano Merlo, Head of Operational Risk and Security, ING Direct Italy
CPEXPO Exhibition, Genova, October 30th, 2013
ING
ING is a Netherlands-based banking and insurance group offering banking products, investments, insurance and pension products. With 61 million clients, ING is present in Europe, North America, Latin America and Asia.
The pillars of the ING strategy are:
- Customer centricity
- Operational excellence
- Top employer
ING DIRECT Italia
- 2001: the bank is founded in Italy with the Conto Arancio product, the first Italian deposit account, which will become a great success
- 2004: the first profit arrives ahead of forecasts. Mortgages are launched, today offered at variable rate, fixed rate and constant instalment
- 2005: the first low-cost funds
- 2008: the zero-fee current account arrives (even stamp duty is free)
- 2009: launch of online trading and completion of the fund range
- 2011: launch of the branches
- 2012: launch of Life Insurance
- 2013: launch of the App for Android and iPhone
ING DIRECT in numbers
- 95% digital customers
- 200,000 downloaded Apps in 6 months
- 1,100 average downloads per day
- 13 bank shops
New customers: 50% self-service, 50% face-to-face
Servicing: 95% self-service, 5% face-to-face
Multichannel acquisition and self-service in operations activity
Information Security Trends: from Here to 2020
Data Explosion
- Increased sharing of sensitive data between companies and individuals
- Proliferation of devices generating traffic
- Greater need for data classification and protection
Always-On Connected World
- Greater connectivity driven by social networking
- Greater connectivity between devices
- Increased connectivity with national infrastructure and public services
Infrastructure Revolution
- Centralisation of computer resources (e.g. data centres) through cloud computing
- Greater importance of outsourcing
- Bring Your Own Device
Future of Banking
- Increased level of electronic and mobile commerce banking
- Development of new payment models
- Cybercrime growth
Tougher Regulations
- Increase of national and international regulation (Basel 3, etc.)
- Increasing attention to (customers') data privacy
- Pressure to develop new Information Risk Management standards
Multiple Internets
- Greater censorship
- Political motivations driving new state/regional internets
- New and more secure closed networks
New Identity and Trust Models
- Continuous decline in the effectiveness of current identity models
- New models of trust to be developed for people and assets
- Identity as a key factor in moving from perimeter security to information-based security
Information Security Focal Points (2012-2015)
Themes: Cloud Computing; Data Leakage Prevention; Trust Model; Mobile Banking; Collaboration/Social Media; Open Bank Standards; CyberCrime
- Security architecture with a focus on proactive, risk-based protection
- Physical and logical separation at every level of the stack
- User Access Management granular enough to enable and control: remote access and BYOD; cloud computing opportunities
- Federated Identity and Access Management
- Effective and mature security monitoring (correlation included)
- New, effective data classification approach
- Innovation in order to become more flexible, agile and sustainable
- Rethinking of the Information Risk Management approach
- Bank in a Box
- Zero Touch Infrastructure
- Clear strategy/policy to cope with collaboration and social media needs
- Cybercrime framework kept up to date with current threat levels
- Increased effectiveness of the CERT in: response time; damage control across the organization
CyberCrime
- Generic organizational improvements
- Generic IT improvements
- E-frauds
- DDoS
- APT
APT - Challenges
Attacker related
Attackers (e.g. criminals, activists, companies and governments) are rapidly growing more mature:
- Objective: it is very difficult to understand attackers' underlying goals, objectives and motivations
- Tools and methods used are rapidly increasing in sophistication. Malware is designed for specific attacks and is difficult to detect with generic anti-malware or anti-virus software
- Resources: attackers have more time, funds and communities available to do their job
Company related
For organizations, it is very difficult to distinguish normal, intended behaviour from an advanced persistent threat:
- Complexity: in large organizations, the majority of business processes cross internal organizational boundaries
- Size: datacentres, servers, thousands of connections to the outside world (email, WiFi, internet, file transfers, etc.)
- Understanding and conviction: at both the individual and the organizational level, the understanding of and conviction about APT as a topic is insufficient
- Weakest link: lateral movement in an attack means that one weak link is sufficient to enter the network. The overall risk is the risk of the weakest link
APT - Principles
Attacker related
1. Every IT asset should be treated as if it were directly connected to the internet. It is no longer useful to distinguish between external and internal systems
2. Change of mindset: think as if we are already hacked, i.e. shift the focus from 100% prevention to a more balanced focus on prevention, detection and response
3. The approach needs to focus on regular fire drills, i.e. attacking ourselves, to test prevention, detection and response capabilities
Company related
4. Improving APT resilience will be the primary responsibility of every individual business unit, and each unit should work on it in a consistent manner
5. There is a need for a centralized program that will: regularly measure and report on the maturity of the different parts of the organization; provide truly shared services such as information gathering, information sharing, training, a global response team and a global security operations and monitoring control center
Q/A?
Thank you